Does Meteor 3 Require (the deprecated) Bcrypt?

vikr00001 · October 3, 2024, 12:21pm

I’m using Meteor 3.

npm is giving me this message:

npm warn deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.

It looks like inflight is being installed by bcrypt:

> npm ls inflight
/Volumes/T9/myApp
└─┬ bcrypt@5.1.1
  └─┬ @mapbox/node-pre-gyp@1.0.11
    └─┬ rimraf@3.0.2
      └─┬ glob@7.2.3
        └── inflight@1.0.6

I have the impression from other forum threads that Meteor requires bcrypt.

Is this correct, and, if so, should Meteor switch to using an alternative?

jkuester · October 4, 2024, 7:04am

bcrypt itself is not deprecated unless I totally missed things here. It’s used to securely hash the password before storing in the users document.

If bcrypt has a vulnerable dependency then usually this gets fixed quickly.

vikr00001 · October 4, 2024, 12:47pm

Thanks for this great info.